RE: Unicast Reverse Path -ACL posted 12/18/2005
- Subject: RE: Unicast Reverse Path -ACL
- From: "Tim" <ccie2be@xxxxxxxxxx>
- Date: Sun, 18 Dec 2005 19:12:53 -0500
- In-reply-to: <firstname.lastname@example.org>
- Thread-index: AcX11Fp9c0x+4La9QUqjNMJd1pX+SwOWsSgg
Yep, this logic can be very confusing. It took me a while to "get it".
Here's the deal:
When you config the verify reverse-path command without an acl, you're
telling the router to drop any packet that comes into this interface
(remember this is an interface command) that shouldn't, based on the route.
Normally, this works fine as long as routing is symmetric, i.e. packets take
the same transit path coming and going. But, suppose this isn't true.
Suppose that a router sends a packet to the right (int e0) to get to a given
destination but packets from that same destination come into the router from
the left (int s0). In this situation, the ip verify reverse-path command if
placed on the "left" interface would drop those packets.
That wouldn't be a good thing.
This is where the acl comes in. You use this acl to override the default
behavior of the ip verify reverse-path command and a "permit" entry tells
the router to override the verify command.
IOW, the acl s/b interpreted as saying this - "Permit these packets that ip
verify would drop to come in anyway."
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Sent: Wednesday, November 30, 2005 12:24 PM
To: Group Study
Subject: Unicast Reverse Path -ACL
Quick question. If I want to log all packets that fail the RPF check, would I
use a permit or deny statement? Trying to understand the logic.
R1(config-if)#ip verify unicast reverse-path 122
R1(config)#access-list 122 deny ip any any log-input
R1(config)#access-list 122 permit ip any any log-input
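A small Python simulation of the logic discussed in this thread (added here; it is not code from either poster): a strict RPF check against the routing table, and the ACL consulted only for packets that fail it, with "permit" forwarding the packet anyway and "deny" keeping the drop. The routing table, ACL 122 contents and addresses are constructed to reproduce the asymmetric e0/s0 case.

```python
# Constructed simulation of IOS "ip verify unicast reverse-path <acl>" on one
# ingress interface. Not router code; routes, ACL and addresses are made up.
import ipaddress

# Constructed routing table: destination prefix -> egress interface.
# Asymmetric case from the thread: 10.2.0.0/16 is reached via e0, but
# packets sourced from 10.2.0.0/16 arrive on s0.
ROUTES = {
    "10.1.0.0/16": "s0",
    "10.2.0.0/16": "e0",
}

# Constructed ACL 122 entries: (action, source prefix, log keyword present?)
ACL_122 = [
    ("deny", "10.2.0.0/16", True),   # deny + log-input: drop the packet and log it
    ("permit", "0.0.0.0/0", True),   # permit + log-input: forward anyway and log it
]

def rpf_passes(src, ingress):
    """Strict uRPF: the longest-match route back to src must point out the
    ingress interface. Having no route to src at all also fails the check."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress

def acl_lookup(acl, src):
    """First-match ACL evaluation with the implicit deny (no log) at the end."""
    addr = ipaddress.ip_address(src)
    for action, prefix, log in acl:
        if addr in ipaddress.ip_network(prefix):
            return action, log
    return "deny", False

def urpf_decision(src, ingress, acl=None):
    """Return (forwarded, logged). The ACL is consulted only for packets that
    fail the RPF check: permit overrides the drop, deny keeps it; either entry
    logs only if its log keyword is present."""
    if rpf_passes(src, ingress):
        return True, False
    if acl is None:
        return False, False
    action, log = acl_lookup(acl, src)
    return action == "permit", log
```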